[PATCH] bridge: disable IPv6 router advertisements

Signed-off-by: Samuel Karp <skarp@amazon.com>
Gbp-Pq: Name cve-2020-13401-disable-IPv6-router-advertisements.patch

diff --git a/libnetwork/drivers/bridge/bridge.go b/libnetwork/drivers/bridge/bridge.go
index 535da3c1ad712629261d606de6cad72340c60888..3288ff865295f0019efb8b40885732b85e99136c 100644 (file)
--- a/libnetwork/drivers/bridge/bridge.go
+++ b/libnetwork/drivers/bridge/bridge.go
@@ -679,6 +679,12 @@ func (d *driver) createNetwork(config *networkConfiguration) (err error) {
        bridgeAlreadyExists := bridgeIface.exists()
        if !bridgeAlreadyExists {
                bridgeSetup.queueStep(setupDevice)
+               bridgeSetup.queueStep(setupDefaultSysctl)
+       }
+
+       // For the default bridge, set expected sysctls
+       if config.DefaultBridge {
+               bridgeSetup.queueStep(setupDefaultSysctl)
        }
 
        // Even if a bridge exists try to setup IPv4.

diff --git a/libnetwork/drivers/bridge/setup_device.go b/libnetwork/drivers/bridge/setup_device.go
index a9dfd06771f8f68eff1e4e13ae60b5ccaf51cb17..9822236dfd15aa85bdb8e150e98bcf89ebf1839b 100644 (file)
--- a/libnetwork/drivers/bridge/setup_device.go
+++ b/libnetwork/drivers/bridge/setup_device.go
@@ -2,6 +2,9 @@ package bridge
 
 import (
        "fmt"
+       "io/ioutil"
+       "os"
+       "path/filepath"
 
        "github.com/docker/docker/pkg/parsers/kernel"
        "github.com/docker/libnetwork/netutils"
@@ -50,6 +53,22 @@ func setupDevice(config *networkConfiguration, i *bridgeInterface) error {
        return err
 }
 
+func setupDefaultSysctl(config *networkConfiguration, i *bridgeInterface) error {
+       // Disable IPv6 router advertisements originating on the bridge
+       sysPath := filepath.Join("/proc/sys/net/ipv6/conf/", config.BridgeName, "accept_ra")
+       if _, err := os.Stat(sysPath); err != nil {
+               logrus.
+                       WithField("bridge", config.BridgeName).
+                       WithField("syspath", sysPath).
+                       Info("failed to read ipv6 net.ipv6.conf.<bridge>.accept_ra")
+               return nil
+       }
+       if err := ioutil.WriteFile(sysPath, []byte{'0', '\n'}, 0644); err != nil {
+               return fmt.Errorf("libnetwork: Unable to disable IPv6 router advertisement: %v", err)
+       }
+       return nil
+}
+
 // SetupDeviceUp ups the given bridge interface.
 func setupDeviceUp(config *networkConfiguration, i *bridgeInterface) error {
        err := i.nlh.LinkSetUp(i.Link)